Low-Power Lossy Networks (LLNs) may be used in a variety of applications, including intelligent power distribution networks, so-called “Smart Grid” applications. Due to the embedded nature of LLNs, they are typically deployed in public and uncontrolled environments. For this reason, implementing strong security in LLNs is an application requirement.
The IEEE 802.1X standard provides a method for network access control. An IEEE 802.1X authentication involves three entities:
Supplicant: a device that wishes to join a network.
Authenticator: a network device (i.e., switch or access point) that a Supplicant communicates with to gain access to the network.
Authentication Server: a device that the Authenticator communicates with to validate the credentials of a Supplicant.
In traditional networks, the Supplicant and Authenticator are in direct link-layer communication. For example, in Ethernet switched networks, the access switch (irrespective of whether it is running as a Layer 2 or Layer 3 switch) terminates the authentication exchange with the end host. In IEEE 802.11 (WiFi™) wireless networks, the access point terminates the authentication exchange when running in autonomous mode. If the access point is running in a split media access control (MAC) mode, then the wireless controller terminates the authentication process.
However, the large-scale and ad-hoc nature of LLNs requires an architecture that allows a Supplicant and Authenticator to communicate over multiple routed Internet Protocol (IP) hops. In an Advanced Meter Infrastructure (AMI) deployment, the Authenticator is hosted on one or more Field Area Routers, and LLN devices may use several IP hops to reach a Field Area Router. There may be thousands of LLN devices, all of which, at some point in time, need to be authenticated.